Apache webserver updated to ignore Do Not Track settings in IE 10

Developers of Apache, the Internet's most widely used webserver application, have released an update that causes websites to ignore privacy settings in the upcoming release of Microsoft's Internet Explorer.

The changes, which came to light late last week, cause the server to disregard the Do Not Track preference sent by Internet Explorer 10. Do Not Track is a proposed Web standard intended to give end users a simple way to register a request that their browsing habits not be tracked by websites and ad networks. The patch was written by Roy Fielding, one of the architects of Do Not Track, who publicly accused Microsoft of violating the standard's requirement that a Do Not Track preference be sent to websites only when the user has specifically enabled it in the browser's configuration settings. Fielding is also an employee of Adobe Systems, developer of the ubiquitous Flash Player.

"The only reason DNT exists is to express a non-default option," Fielding wrote in a post defending the change. "That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization."

Fielding went on to say, "Microsoft deliberately violates the standard."

The text of the Do Not Track standard states, "The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties." It goes on to say:

"Key to that notion of expression is that it must reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Critics of the Apache update contend Microsoft's Do Not Track implementation, which will be included in the upcoming version 10 of IE, is in compliance with the standard. A screen that is displayed when a user first uses the operating system offers two choices: Express settings and a more detailed Customized settings. The same screen explicitly states that choosing the Express option will turn on Do Not Track.

Some critics of the Apache update also claimed it was motivated by financial considerations, since many websites and most ad networks stand to profit by serving ads tailored to a specific viewer's browsing habits. Fielding is an employee of Adobe, whose widely used Flash Player is required to view many online ads.

"Adobe is actively trying to subvert privacy," privacy researcher Chris Soghoian wrote in a tweet over the weekend. "If Roy Fielding was not drawing a paycheck from Adobe, would he have submitted that patch?" he wrote in another.

Reminds me of a quote from a movie I saw yesterday: "When everyone is super, then no one will be." The same goes here: when everyone is opted out of tracking, the setting will become meaningless, because the advertisers will know that's not a real choice; instead it is just a default option.

Microsoft's actions are going to end up making DNT less effective for Firefox, Chrome and all the other browsers as those advertisers who might have just given a damn and used this system before IE 10 are now going to write it off as just a gimmick of the browser makers.

The wording of the standard is quite clear. The screen prompting users that if they choose the Express option, they will enable DNT is also clear. It's adhering to the standard. They can get pissed off that they worded the standard poorly, and try and re-write the standard to avoid this situation, but it's dishonest to say it is violating the standard. The information is right there, and the user is explicitly making the choice.

A screen that is displayed when a user first uses the operating system offers two choices: Express settings and a more detailed Customized settings.

That's just trying to be slimy and weasel around the intent by obeying the technical wording. Everyone knows that the vast majority will click straight through with whatever is the default, not spend time customizing it. DNT is weak and requires cooperation to have any effect, so "oh we totally obeyed the standard" doesn't cut it if operators disagree.

Quote:

Some critics of the Apache update also claimed it was motivated by financial considerations, since many websites and most ad networks stand to profit by serving ads tailored to a specific viewer's browsing habits.

Of course financial considerations are what motivate it. Financial considerations are at the center of the entire issue, that's what it's all about.

Quote:

"Adobe is actively trying to subvert privacy," privacy researcher Chris Soghoian wrote in a tweet over the weekend. "If Roy Fielding was not drawing a paycheck from Adobe, would he have submitted that patch?" he wrote in another.

Apache is open source, and compliance with DNT is voluntary. That's the whole point of the debate! If nobody wants to exclude IE then no one will use the feature, but if operators choose to then that's not the fault of the code or anyone who wrote it. This is not some proprietary monolithic product.

DNT is supposed to be a polite way to ease relations between users and operators. What it can do is minimal, but it is not without value if implemented properly; it does require the requesting parties to be legit.

Yeah. The way it is, no one will support it server side and everyone loses. I think it's good Apache may support this. Then ad networks might, then at least everyone with alternate browsers might get the feature.

I'd be interested to know what proportion of websites actually run on the latest vanilla Apache. I would assume this behaviour can be changed in the Apache config files.

It's quite hard to see what Apache is hoping to achieve here. Isn't Do Not Track about the behaviour of cookies and their use rather than their existence (since their existence can be controlled by the browser)?

Reading between the obvious lines in this post, it reads like the author thinks it's Adobe that spiked this, because all of the annoying ads on the internet have one thing in common: Flash.

The wording of the standard is quite clear. The screen prompting users that if they choose the Express option, they will enable DNT is also clear. It's adhering to the standard. They can get pissed off that they worded the standard poorly, and try and re-write the standard to avoid this situation, but it's dishonest to say it is violating the standard. The information is right there, and the user is explicitly making the choice.

Obeying the letter as read by a strong POV but not the intent doesn't cut it when you're the beggar. Or are we suddenly pretending this week that users carefully read all dialog boxes before making a choice, read the entire EULA before clicking Agree, or other fictions?

To everyone claiming that MS is asking, it's in the default options. Sure, the description says so, but most people don't read that. If they're not explicitly opting in, then that's not what DNT is supposed to represent. Spirit of the law over letter of the law.

A screen that is displayed when a user first uses the operating system offers two choices: Express settings and a more detailed Customized settings.

That's just trying to be slimy and weasel around the intent by obeying the technical wording. Everyone knows that the vast majority will click straight through with whatever is the default, not spend time customizing it. DNT is weak and requires cooperation to have any effect, so "oh we totally obeyed the standard" doesn't cut it if operators disagree. ... DNT is supposed to be a polite way to ease relations between users and operators. What it can do is minimal, but it is not without value if implemented properly; it does require the requesting parties to be legit.

So, if I as an educated user decide to enable DNT by myself, not via the express settings, how is Apache abiding by the standard? Apache has no way to determine if express settings were used, or if the user deliberately decided to enable DNT.

So, if I as an educated user decide to enable DNT by myself, not via the express settings,

How would we tell that remotely vs someone who had used the express settings pray tell? Send your complaint to Microsoft for making your decision indiscernible.

Quote:

Apache has no way to determine if express settings were used, or if the user deliberately decided to enable DNT.

Right, and so the default will be as it exists right now: if there is no way to tell, then assume express settings, which will be the vast majority.

Quote:

Apache is WRONG on this.

"Apache" isn't doing anything. If you had the chops you could go and start contributing to Apache right now, or make your own distribution. Any operators who don't care to use this won't need to, it's open source.
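The config question a few posts up and the "how would we tell remotely" exchange just above both come down to what the origin server actually receives. The following is an added example, not code from Apache httpd or from any poster in this thread. It emulates in Python the effect of the httpd rule at issue, which takes the form of a BrowserMatch directive (mod_setenvif) that flags IE 10 User-Agent strings plus a RequestHeader unset directive (mod_headers) that drops the DNT header when that flag is set; that two-directive shape is my reconstruction of the mechanism, not a quotation from the Apache commit. The User-Agent strings and sample requests are constructed for the example, not captured traffic.

```python
"""What an origin server receives when a browser sends Do Not Track, and what
the httpd rule discussed in this thread does to it.

Added example, not code from Apache httpd or from any poster. The rule being
emulated has the form

    BrowserMatch "MSIE 10.0;" bad_DNT
    RequestHeader unset DNT env=bad_DNT

mod_setenvif sets the bad_DNT environment variable when User-Agent matches the
regex; mod_headers then removes the DNT request header whenever bad_DNT is set.
All header sets below are constructed for the example.
"""

import re

# Header names are case-insensitive on the wire; a real server normalises them.
# Every sample here uses the canonical spelling so plain dict lookups work.
IE10_EXPRESS = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "DNT": "1",
}
# A user who opened Customized settings and switched DNT on deliberately.
# The bytes on the wire are identical to the express-settings case above.
IE10_DELIBERATE = dict(IE10_EXPRESS)
FIREFOX_DNT_ON = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
    "DNT": "1",
}
# DNT: 0 is the spec's way of saying "this user consents to tracking here".
FIREFOX_CONSENT = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0",
    "DNT": "0",
}
# No DNT header at all: the browser expressed no preference.
NO_PREFERENCE = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/536 Safari/536",
}
# IE 9 advertises "MSIE 9.0;", so the version-specific rule must not fire for it.
IE9_DNT_ON = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "DNT": "1",
}

# BrowserMatch takes a regular expression matched against User-Agent.
BAD_DNT_PATTERN = re.compile(r"MSIE 10\.0;")


def apply_ie10_rule(headers):
    """Emulate `BrowserMatch "MSIE 10.0;" bad_DNT` + `RequestHeader unset DNT env=bad_DNT`.

    Returns a new header mapping with DNT removed when the User-Agent matches,
    and the original mapping, untouched, otherwise.
    """
    if BAD_DNT_PATTERN.search(headers.get("User-Agent", "")):
        filtered = dict(headers)
        filtered.pop("DNT", None)
        return filtered
    return headers


def tracking_preference(headers):
    """Interpret the DNT request header as the W3C TPE draft defines it.

    The field value is "1" (do not track) or "0" (consent), optionally followed
    by extension characters. Anything else, or no header at all, is no preference.
    """
    value = headers.get("DNT", "")
    if value.startswith("1"):
        return "do-not-track"
    if value.startswith("0"):
        return "consent"
    return "no-preference"


def decide(headers, ignore_ie10_dnt):
    """Site operator's view of the preference, with or without the httpd rule."""
    if ignore_ie10_dnt:
        headers = apply_ie10_rule(headers)
    return tracking_preference(headers)


def indistinguishable(a, b):
    """True when two requests carry exactly the same headers, i.e. nothing the
    server sees could separate an express-settings DNT from a deliberate one."""
    return a == b


if __name__ == "__main__":
    samples = [("IE10 express", IE10_EXPRESS), ("IE10 deliberate", IE10_DELIBERATE),
               ("Firefox DNT on", FIREFOX_DNT_ON), ("Firefox DNT 0", FIREFOX_CONSENT),
               ("no DNT header", NO_PREFERENCE), ("IE9 DNT on", IE9_DNT_ON)]
    for name, req in samples:
        print(f"{name:16s} stock: {decide(req, False):14s} with rule: {decide(req, True)}")
    print("express vs deliberate distinguishable:",
          not indistinguishable(IE10_EXPRESS, IE10_DELIBERATE))
```

Run stand-alone it prints one line per sample. With the rule enabled every IE 10 request collapses to "no-preference" regardless of how the user set it, Firefox and IE 9 requests are unaffected, and the express and deliberate IE 10 requests compare equal, which is exactly why the server cannot honour one and not the other. An operator who wants IE 10 preferences honoured removes the two directives from the shipped configuration; one who wants the old behaviour back on a distribution that dropped them re-adds the same pair.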

I don't know that I agree with Fielding's reasoning, but I do think Microsoft made a poor choice here.

Most people leave default options alone. By setting DNT on by default, they are guaranteeing that an extremely large number of users will have it on. I know privacy advocates would argue this is a good thing, but the problem is, a lot of the services the web is built on rely on advertising data for their business model.

Now, it could be argued that DNT should be on by default, but companies should be allowed to require it be off in order to use their services, thus informing customers of the privacy they give up. But for the majority of users, this will just represent an annoying extra step they have to take and few will even bother reading why. It would be much like ToS agreements are now, or how users react to UAC prompts.

If Apache hadn't done this, companies would have found a way to do it themselves. It's not a matter of being "evil", greedy, etc. Giving up a certain reasonable amount of privacy is the price of using most "free" web services. DNT only works if a small fraction of the user base actually turns it on - it's not really that different from adblock in that sense.

It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.

So instead they're going to violate everyone's privacy by tracking them by default. Makes sense.

That is the default. That's how it is right now: you're tracked unless you go to significant trouble to try to prevent it client-side. The idea of DNT is that everyone will try to play nice rather than have an arms race, making the situation happier all around. DNT is specifically a non-default; that's what possibly makes the scheme work.

If you want to make a right out of it, then you'll need a legislative solution. That's certainly a reasonable position to take, but it doesn't change what DNT is.

Now, it could be argued that DNT should be on by default, but companies should be allowed to require it be off in order to use their services, thus informing customers of the privacy they give up. But for the majority of users, this will just represent an annoying extra step they have to take and few will even bother reading why. It would be much like ToS agreements are now, or how users react to UAC prompts.

This would be the other direction to go, and you correctly note it has its own tradeoffs in turn. DNT could be valuable for that reason alone though, in that it could serve to increase transparency and general education when it comes to funding. "We see you have DNT turned on, you must give an exemption to our site in order to use it" would also be an option and might be a useful choice.

the problem is, a lot of the services the web is built on rely on advertising data for their business model.

But DNT isn't stopping ads from showing up, it's just going to make the ads that are there less targeted. Advertisers will probably see a dip in revenue, but what percentage remains to be seen. However, it's not going to be the industry killer that some of them are making this out to be.

You know, if we weren't allowed to assume that "clicking through" means the person actually read and agreed with what they're being offered and approve, then accepting the ToS of a website or program via a dialog box presenting you with the choice of "Agree" or "Decline" wouldn't have any legal weight.

But wait, it does! And that's what Microsoft is doing: allowing you to choose "Express setup", which lists Do Not Track as one of the settings, or "Custom setup", where you can enable/disable it yourself, means Microsoft is in the right here.

They don't have to make any choice discernable, because by clicking "Express setup", you made the conscious choice to enable DNT, according to the standards that we already have established over the years in the software industry.

And, you know, when I click "Express settings" when starting up a fresh Internet Explorer installation, I do so with full knowledge of the weight of the decision, and with full intent on choosing it. In IE10, therefore, when I select "Express settings", I have explicitly decided to enable Do Not Track. Whether Joe Schmoe doesn't read the text before clicking is not Microsoft's problem. It's Joe's problem.

This smells of politics and Apache needs to own up and revoke the patch.

Please note that Adobe owns SiteCatalyst, Scene7, AdLens, and a host of other services that benefit from 3rd party cookies and other tracking cookies being allowed. There is definitely a conflict of interest there!

I find the "you're ruining it for all of us" attitude quite offensive. It implies that only people who are so awesome that they know about some obscure setting deserve privacy, and that normal people don't deserve privacy. Call me a socialist, but that rubs me the wrong way. Defaults (or express settings here, since there is no default and this is the easiest explicit option) should reflect what a normal user would want if they were educated, without having to waste their time educating them about every setting and option.

How would we tell that remotely vs someone who had used the express settings pray tell? Send your complaint to Microsoft for making your decision indiscernible.

This is the issue. The justification of this is that MS is abusing the standard by making the decision for the user. So instead Apache will make the decision for them. The Apache patch is disregarding any form of user expression, be it the default setting or a customized one. How is that better for users?

Quote:

Right, and so the default will be as it exists right now: if there is no way to tell, then assume express settings, which will be the vast majority.

And fuck the people who are aware enough to attempt to get out of that? What if I, as a sysadmin, have decided that I don't want anyone in my organization to be tracked, and that I want to use the standard Express settings to eliminate issues? Apache has now decided that my informed opinion means nothing. Additionally, since none of my users are authorized to install unapproved software, they have no recourse; Apache has decided that my organization, all my users included, are to be tracked even though we have expressly enabled DNT.

Quote:

"Apache" isn't doing anything. If you had the chops you could go and start contributing to Apache right now, or make your own distribution. Any operators who don't care to use this won't need to, it's open source.

This is such a cop-out argument. Apache is allowing a patch that is directly harmful to users, and directly in contrast with the standard to go live. Apache, as a foundation, is taking a stand that advertisers have more rights than users of a particular browser.

The vast majority of users/admins that run their sites on Apache don't have the 'chops' to update the code, or the time to customize source for every application that they install. You're essentially saying "Don't talk shit on open source because you can fix it. Shut up and take it."

Or I could switch all the sites I maintain to NGINX and advocate everyone else do the same. Which I'm in the process of doing.

I have a hard time caring about this when the DNT standard appears so weak in the first place. They're asking me to enable this setting manually, turn off my extensions/settings that attempt to anonymize me, and trust that the corporation on the other side (whose business model might rely on tracking me) is going to stop tracking me as long as not too many other people also request no-tracking?

I'm not going to say this is doomed from the start, but I will say I'll believe it when I see it and I'm not changing any of my browsing habits till then.

the problem is, a lot of the services the web is built on rely on advertising data for their business model.

But DNT isn't stopping ads from showing up, it's just going to make the ads that are there less targeted. Advertisers will probably see a dip in revenue, but what percentage remains to be seen. However, it's not going to be the industry killer that some of them are making this out to be.

And less targeted ads are less useful ads to both the advertiser and the consumer (people don't like ads for things they have no interest in). Targeted ads mean that we can be shown fewer ads, because it becomes more likely that the ones we're shown will be relevant.

Essentially, it leaves companies with few options:

- Ignore the setting like Apache is doing
- Respect the setting, but find other ways to increase revenue, such as showing users more ads
- Respect the setting, but cut services due to lost revenue

So it won't kill the industry, but it will be a net loss for the web. Apache's solution is essentially to maintain the status quo rather than degrade the web, and I argue that if they hadn't done it, then companies would have done it themselves.

I don't know that I agree with Fielding's reasoning, but I do think Microsoft made a poor choice here.

Most people leave default options alone. By setting DNT on by default, they are guaranteeing that an extremely large number of users will have it on. I know privacy advocates would argue this is a good thing, but the problem is, a lot of the services the web is built on rely on advertising data for their business model.

A lot of services on the web don't rely on advertising data but on advertising payments. That does not specifically include tracking a person around the web, it is mostly for analytic and advertisement companies to have extra info on your activities. I believe there are sufficient consumer laws that protect us IRL.

I love the hypocrisy of what Fielding says. He claims that DNT is about the expression of a choice between personalization and privacy. Then why is it DISABLED by default? If it were really an expression of choice then the standard would require all browsers using the standard to prompt the user first! I support what Microsoft is doing. If DNT falls through, the government is going to step in at some point. That is what is driving DNT in the first place, the desire to fix the problem before the government steps in. Advertisers really need to realize that if they don't loosen up, the government will likely come down on them harder than Microsoft.

This is why voluntary Do Not Track is a complete joke. Regardless of changes to web servers, sites' privacy policies, etc. it will never provide users with any privacy in the absence of legal enforcement and onerous sanctions.

Luckily, IE10 still supports Tracking Protection Lists, which don't rely on the honesty of a bunch of advertisers to function as expected. Invest a few mouse clicks in enabling TPL and selecting one or more lists, and you're protected.

This is the issue. The justification of this is that MS is abusing the standard by making the decision for the user. So instead Apache will make the decision for them.

Wrong, you've got the situation mixed up. There are two different parties in the transaction here: the user, and the site operator. The browser and related is on the user side. Apache is on the site operator side. You are making them out to be the same thing, but they aren't, and that's the point. The site operator isn't making a decision for the user; they're making a decision for themselves on how to react to information they're getting.

To all of you saying that by putting it into the express setting they are violating the standard. Would it also be wrong if they put it into a second screen that reads "Do you want to be tracked by advertising agencies?" "Yes/No"

Because I guess that a lot of people are going to say no to that question. And ad agencies are going to invent a new excuse to ignore the DNT IE10 setting.